The Reasons Behind Security Advice
Trying to put some background and context into the most common advice
Photo credit: Headway on Unsplash
The media and public opinion are in an odd place with cyber security. On one hand you have an army of very clever people coming up with all sorts of awesome ways of securing things. On the other you have cowboy coders, or those grappling with ancient systems, who are a combination of clueless, arrogant and in a tough situation to begin with. Finally there is the general public, who don't understand the concepts behind any of this (why would or should they), yet are the ones who suffer from data breaches and the like.
This post aims to demystify and explain three of the most common buzzwords and phrases in the media, as intelligibly as possible.
This is an excellent example of simple advice for a very complex problem. Let's start with the obvious reason: if your password is "password", nobody needs an expert to break into your account. Let's upgrade to "pickles". OK, a modicum of security, you wouldn't guess that, but it is still awful. All an attacker needs is to set a computer up to try lots of passwords against your account; this is called a brute force attack (a general term for a trial and error method). Hopefully after some number of failed attempts you will be locked out (that lockout exists precisely to stop this, by the way).
But it doesn't stop here, and it starts to get a little more technical. Password hashing is the way coders should be keeping your password safe (there is a full article on this, but the bit we need to know is that your password is hashed into a garbled string of data that can't be reverse engineered back into your password). When you submit a password this process is done again, and if the stored hash and the hash of the password you submitted match, you gain access to whatever is being protected. So far so good...
Tables of hashes get stolen; it's just the way things are and will probably continue to be. Not usually from the big players, but in this case that doesn't matter. Now let's say we use our previous best password "pickles" on a website whose user table is then stolen, but they know what they are doing and have hashed all the passwords. At first glance, no harm done: the thieves can't get your password.
Nope. If I (the hacker) run a script that creates a hash for every word in the dictionary, I can simply match the users' stolen hashes against my own ones, and "pickles" and every other weak password will be found out. This is the important bit: if your password is compromised this way it will most likely be found alongside your username and/or email address; the attacker can go round common websites and try that username/email/password combination, and if you have reused the password, gain access. No provider can stop this attack; the attacker is, after all, using the same information you use to log in.
A strong password with lots of numbers and punctuation is much less likely, if not impossible, to be compromised using a lookup table. By the way, along with the dictionary, common passwords and a host of other hash inputs are in these tables, so "Pa33word" isn't good enough either.
If you skipped to this section, skim through the previous one: complex passwords are of vital importance to cyber security. The reason to use a password manager is very simply an extension of this; it lets you use unique, completely random strings as passwords.
The benefit of a password manager is simply that it does the legwork of remembering all of these passwords. If you can remember them all, awesome, you are as secure as possible, but most (all) of us can't. A password manager uses a single password to encrypt all your other passwords, so you only have to remember one password to be safe.
Where can I get one? All sorts of free, paid-for and integrated solutions exist. The only word of caution is to do a quick check that a password manager's provider is reputable; you are giving them all your passwords, after all.
The biggest problem with this security concept (going by research into public opinion) is that it's a bit new and no-one has a clue what it is or what it solves. The problem with passwords is that they can be entered by a computer, and hashes, as we have just seen, rely to a certain extent on the user not being a muppet. What we really want is to avoid the issue of weak passwords altogether.
Two factor authentication puts a physical element back into the authentication process. This changes everything: fundamentally an attacker has to get to you geographically, which pulls internet security into line with the everyday crime we have been dealing with for centuries, and that is much easier to deal with!
How is this done? Simple: use the user's mobile phone. The first, easy approach is to send the user an authentication code by text message; the user must enter that code after entering their correct password to access their account. Nice and simple... until hacks and flaws were found in text message sending.
Another breed of two factor authentication is to put an app on your phone that allows the above process to happen without any message needing to be sent. When you first set up two factor authentication on the website, it gives you a code which is stored in the app. The app then generates a sequence of numbers based on that original code and, importantly, the time of generation. When you log in you use your username and password, then you type in this code (making up the two factors the name suggests). What has time got to do with anything, though?
Time is essentially the "communication" between the device and the website. Since time is the same at the device and the web server (OK, to within a second; let's not get into general relativity), both the web server and the device can take the original setup code and the current time and generate the same login code. These codes are also temporary: if someone looks over your shoulder and sees your code they would need to use it within ~10 seconds, and would still need your password.
In my opinion, time-based two factor authentication is the gold standard when it comes to login security.
Ahhhh, the padlock: a symbol of security that has been drilled into every computer user since cyber security became an issue. We are of course talking specifically about the padlock that appears to the left-hand side of the URL bar in any internet browser (you would have to go far back in time to find a browser without this feature).
This says your browser has made a secure, SSL-encrypted connection to the website or service. This security measure is best described by explaining the default behaviour of the web. By default, your message to the website, and its response, are sent in plain text. To connect to a website, your request passes through many, many devices and pieces of software: your router at home, proxy servers, internet routers, the list goes on.
The problem is that no-one is responsible for keeping all this infrastructure secure; that is the beauty of, and also the "problem" with, the internet. Anyone can monitor traffic through any of these nodes, and no single body is responsible for stopping them. This ranges from government-level tracking of the data flowing into a country down to small-time hackers taking control of your wifi router; in every case your request to the website, and its response, can be read without SSL.
So, SSL encryption (the "https" protocol), and the padlock your browser shows you as a result, mean that your data is sent and received in encrypted form; it can't be read for the entirety of its journey across the internet. The technical details are outside the scope of this article, but it's clever and, as ever, many very bright people have made sure it works.
"Why does it matter?" is a common question. Let's say you don't care about your internet privacy at all; I honestly don't blame you. The simple answer is that when you log into a site without SSL, you are sending your username and password in plaintext to anyone monitoring your path through the internet. To put it another way: there is no point in a lot of internet security if you don't use SSL.
The other major benefit is that SSL ensures that the real owner of that web domain is serving and receiving your content. Domain names can be spoofed (there is a lot of work to stop this, but it can still happen); SSL encryption is another way of making sure your data is only being sent to the intended recipient.
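The second benefit, knowing the real domain owner is on the other end, only holds if the client actually checks the certificate, and that is the setting developers most often switch off to silence an error. As an added example (mine, not the article's), here is what that weak configuration looks like next to the correct one in Python's standard `ssl` module, plus a small helper that fetches a page over the correct one. The hostname `example.com` in the usage block is just a placeholder; nothing about the configuration depends on it.

```python
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The 'make the warning go away' configuration. Traffic is still encrypted,
    but nobody checks who presented the certificate, so a spoofed domain or a
    box in the middle is accepted just like the real site. Do not ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """The correct configuration: trusted CA store, certificate required,
    hostname must match the certificate, and no pre-TLS-1.2 protocols."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """The check a code reviewer applies: is the 'who am I talking to' part on?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fetch_head(host: str, port: int = 443) -> str:
    """Send a HEAD request over a verified TLS connection and return the
    response header text. Raises ssl.SSLCertVerificationError if the server
    cannot prove it owns `host`. Needs network access, so not run in the test."""
    ctx = secure_context()
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request.encode())
            return tls.recv(4096).decode(errors="replace")


if __name__ == "__main__":
    print("insecure context safe?", context_is_safe(insecure_context()))
    print("secure context safe?  ", context_is_safe(secure_context()))
    print(fetch_head("example.com").splitlines()[0])  # placeholder host
```

Encryption without verification gives you the padlock's privacy promise but not its identity promise; `context_is_safe` is the one-line check worth adding to a code review for any client that talks HTTPS.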